Friday 28 January 2011

Why education on exploitation isn't helping security

To start off, I feel it imperative that I give a little background: I'm a student at university in London (don't worry, I know how little value a degree has), and I want to get into infosec.*
As I want the best chance of getting into the industry, I'm generalising what I'm learning: networking, exploiting Windows and Linux machines, different exploits and how they work, web application hacking. But the one thing that bothers me by far the most out of everything I've read is that you are nearly never told how to prevent the problem. You are told why something has a vulnerability in it, but not how to stop it occurring.
I know some vulnerabilities are easy to sort, whether it be not using strcpy() and using strncpy() instead, but that isn't always the case. Whenever you read about webapp hacking, with all the different problems that can be sorted by input sanitisation, you are nearly never told how to do this effectively. Reading it once may make you believe you can easily sort the problem, but the author may not have considered unicode encoding, or recursive sanitisation: a program may delete %22 if it occurs in the string, but a single check lets %%2222 through, because removing the inner %22 leaves a new %22 behind.
In the end, I can only think of 3 reasons why authors and the like don't write about how to defend against or fix these vulnerabilities:
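The %%2222 point above is easy to see in code. Here is an added example (not code from this post or from any book it talks about) of a single-pass "remove %22" filter next to one that repeats until nothing changes; the function names and the sample input are my own.

```c
/* Added example: why a one-pass strip of "%22" can be bypassed with "%%2222",
 * and what a fixpoint strip looks like. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Remove every non-overlapping occurrence of `needle` from `in` in ONE
 * left-to-right pass. Returns a malloc'd string the caller must free. */
char *strip_once(const char *in, const char *needle) {
    size_t nlen = strlen(needle);
    size_t inlen = strlen(in);
    char *out = malloc(inlen + 1);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < inlen; ) {
        if (nlen && strncmp(in + i, needle, nlen) == 0) {
            i += nlen;            /* drop the match; the bytes around it stay */
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return out;
}

/* Keep stripping until a pass removes nothing, so fragments that join up
 * after an earlier removal ("%%2222" -> "%22" -> "") are caught as well. */
char *strip_until_stable(const char *in, const char *needle) {
    char *cur = strip_once(in, needle);
    if (!cur) return NULL;
    for (;;) {
        char *next = strip_once(cur, needle);
        if (!next) { free(cur); return NULL; }
        int changed = strcmp(cur, next) != 0;
        free(cur);
        cur = next;
        if (!changed) return cur;  /* reached a fixpoint */
    }
}

int main(void) {
    const char *payload = "%%2222";  /* constructed input, from the post */
    char *a = strip_once(payload, "%22");
    char *b = strip_until_stable(payload, "%22");
    printf("single pass : \"%s\"\n", a);   /* "%22" survives the filter */
    printf("until stable: \"%s\"\n", b);   /* "" */
    free(a);
    free(b);
    return 0;
}
```

Looping to a fixpoint closes this particular hole, but it is still a blacklist. The more robust fix is to percent-decode the input exactly once, validate the decoded value against what the field is allowed to contain, and then encode it for the context it is written into (HTML, SQL, a shell argument), rather than trying to delete bad substrings.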
  • It may be a case by case basis,
  • It isn't what people want to read about. We want to read about how to get into somebody's machine, our 'end result'
  • The person writing actually has no idea about how to defend against or fix the vulnerability.

Case by case
Now I can understand this for quite a few vulnerabilities, as it may be a slight coding error, or even a design fault. The first may be specific to the program or project, where they haven't thought about everything that could happen, and the latter can't really be changed unless you take the 'feature' out, or change it so that it cannot be used in that way.
But this isn't to say you couldn't tell people how to protect against the vulnerability. For example, if somebody is willing to write a short C program showing exploitable code, why can't they show the fixed program? The programs used to show vulnerabilities are often very short and clearly show the vulnerability, which also means they are usually very easy to fix and easy to show the differences in code.
I fully understand that not all cases can be shown, but I think just a general helping hand could go a long way.
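To show what I mean by "show the fixed program", here is an added example in C (my own code, not from any book or course mentioned here): the kind of short strcpy() program usually used to demonstrate a stack overflow, with the fixed version next to it. The buffer size and function names are made up for the example.

```c
/* Added example: the usual vulnerable strcpy() snippet, with the fix beside it.
 * NAME_MAX and the function names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* BEFORE: unbounded copy. A name of 16 bytes or more writes past `buf` and
 * corrupts whatever the compiler placed after it on the stack. This is the
 * snippet that normally ends the explanation. */
void greet_unsafe(const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name);                      /* no length check at all */
    printf("Hello, %s\n", buf);
}

/* AFTER: check the length, copy with a bound, and terminate explicitly.
 * Swapping strcpy for strncpy on its own is not enough: strncpy does not
 * write a NUL when the source fills the buffer, so the terminator is set by
 * hand. Returns 0 on success, -1 if the input is rejected as too long. */
int greet_safe(const char *name) {
    char buf[NAME_MAX];
    if (strlen(name) >= sizeof buf)         /* would not fit with its NUL */
        return -1;
    strncpy(buf, name, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';             /* strncpy may leave no NUL */
    printf("Hello, %s\n", buf);
    return 0;
}

int main(void) {
    /* constructed inputs: one that fits, one that would overflow */
    const char *ok  = "Alice";
    const char *big = "0123456789abcdefghij";

    greet_unsafe(ok);                       /* fine only because input is short */
    if (greet_safe(big) != 0)
        printf("rejected: name longer than %d bytes\n", NAME_MAX - 1);
    return greet_safe(ok);
}
```

Rejecting over-long input is a choice; silently truncating with strncpy plus a manual terminator is the other common one. Either is a complete fix, and showing the reader which was chosen and why is the part that usually goes missing.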

Reader doesn't want to know
This reason (presuming it is a valid one) especially annoys me. If you look at where a book on hacking or exploitation says who it was written for, it states something like "hackers, people in the information security industry and system administrators wanting to understand how hackers work", but how is this true for the last group? Somebody on the defensive side would want to know what causes the exploit, and then, more importantly, how to fix it. There's no point finding a vulnerability in your own code, then doing a bad job of fixing it and not actually fixing it completely.
The same goes for courses I have taken: they may show you methodology, or information about hacking or vulnerabilities, but then only give a general explanation of how to fix the problem rather than actually showing you.
Plus, if you're a pentester and you don't believe fixing the problem is part of your 'end result', then I think you should be in another job, since you are not helping the customer at all, just getting paid to hack into a company's network. The main reason for a company to do a pentest or vulnerability assessment is their ROI (return on investment). Some findings don't need much detail, like specific patches they need, but if you're putting "SQL injection possible in form xyz, better input sanitisation needed" then that doesn't give them much information. And the only way to properly help them is to know how to do it yourself, since if you give some example code on how to fix it, they take the code and implement it, and a similar problem happens, then it is you, not the company who hired you, who is at fault (except maybe they are at fault for hiring you in the first place).

Author doesn't know how to fix the vulnerability

This reason doesn't annoy me, but would really worry me.
I couldn't give a crap who the author is, or who is giving the course: if they don't know how to fix the basic vulnerability or exploit they are showing you how to do, then I don't want to be learning from them, as I don't think they have the right to teach anybody anything. I wouldn't teach somebody how to take a car engine apart if I didn't know how to put it back together, so why should they teach me how to break something without being able to tell me how to fix it?

People in information security are constantly complaining about the same old vulnerabilities in 'crappy' software, but is it any surprise when you often have to go the extra mile to find out about fixing problems? It just shows that a lot of people don't really care about fixing stuff, because they're not on the programmers' side. They just want to break stuff and be a "1337 h4X0R Wh0 pWNd uR M4cH1N3."

In the end, not everything is bad, but there is a lot of information out there, and most of it doesn't help security.**


p.s. If you know of any good books or courses that go over exploitation & then how to fix the vulnerability, please leave a comment.

*I know getting into the information security industry straight from university is often not the best way, but I feel the fact that I want to get into infosec now, that I'm willing to spend days researching old and new ways to find vulnerabilities and trying to discover vulnerabilities myself, and that I'm taking the OSCP certification at the same time as my degree, shows some of my dedication. And I feel that although the other route may be the better way, it is not necessarily the right way for me to get into infosec.
**It can be debated that finding more vulnerabilities & making the vendor create a patch is helping security, though I am basing this more on a penetration testing/vulnerability assessment view or the view of a vulnerability researcher trying to find vulnerabilities in their own company's programs.

Monday 24 January 2011

Self Improvement working within information security

.....and why it makes it more and more difficult to get into the industry.

Everything in IT is constantly changing, and it is exactly the same within infosec. Whether you work as a penetration tester, a social engineer, a hardware hacker, or even as somebody defending your company's servers against the people trying to hack in, it doesn't change the fact that the field is constantly changing.
But this constant advancement is a double-edged sword: people have to constantly strive to learn new things, but at the same time it is difficult, if not impossible, to keep up. And if all this change makes it hard for people already in the field to keep up, how is anybody new supposed to get in on the action?

Since technology is constantly changing it means that there are many companies still with legacy systems, meaning you need to know not only the new exploits, and architectures coming in, and the ever-growing scope of attack, but the old systems that still plague offices (and banks and supermarkets and bedrooms and ....) all over the world.
Even if you're not a vulnerability researcher, and are just somebody who dips their toes in a bit of everything in infosec, you may not need to know how things work down to the bit level, but you still need to constantly keep up. You need to keep pushing yourself to keep learning, and that's something that people in information security all have in common: the curiosity, the wanting to know. They want to keep learning, keep reading blog posts and whitepapers, keep listening to podcasts. They want to know why something works, how it does it, and then how to break it.

But this can also make it very difficult for people trying to get into the industry. To me, there are 3 kinds of people wanting to get into infosec:
  • The people coming straight from university (like myself), who have become really interested in computer security
  • Those coming from another department of IT, who want to move into security
  • Those who are neither: more often younger people who didn't get to go to university, and might have a low-level job in IT, or no job at all.

The first category is the student, or somebody younger, who has become really interested in the infosec industry, wants to learn more and more about it, and then, obviously, wants to make it a profession.
The biggest problem here is experience. Since they won't have as much experience as somebody who has been working with technology day in, day out, it feels as if there is a huge amount to catch up on before they have even started. They might not have administered lots of different servers over many years, and they won't necessarily know about certain configuration problems or what certain errors mean. These are mainly small things, but a lot of them can add up. Is all this to say that they are no good? Of course not; it would be stupid to dismiss somebody because they haven't been working in IT for years.
The second way I think of getting into infosec, which I believe is the more common way, is to come from somewhere else in IT.
But this also brings a disadvantage: a lot of jobs in IT may not have the same growth and may not move as fast as infosec, so people coming from these areas may not be used to the pace, and such an overload of information could come as a shock to the system.
And the last option is somebody who has just become really enthusiastic about security (I'm not including script kiddies who are just going through a phase), but who again doesn't have the experience, and may not have the qualifications to get their resume past the HR department. But just because they don't, who is to say they cannot make it? I would rather talk to somebody enthusiastic about security who sees it as a way of life and wants the constant learning, than, say, a master's student straight out of university who doesn't care about it and just wants it as a job.

But either way, there is the HUGE problem of having to learn the stuff that everyone in infosec already knows, while at the same time trying to learn everything that is currently coming out, and I think this may be putting people off and keeping people out of the industry.
Either way, I believe getting into security is really challenging, let alone staying there, and more importantly wanting to stay in the industry.